aboutsummaryrefslogtreecommitdiff
path: root/straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers
diff options
context:
space:
mode:
Diffstat (limited to 'straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers')
-rw-r--r--straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers98
1 files changed, 0 insertions, 98 deletions
diff --git a/straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers b/straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers
deleted file mode 100644
index d5f2243..0000000
--- a/straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers
+++ /dev/null
@@ -1,98 +0,0 @@
-# Lenient profile that is intended to be used when 'Ux' is desired but
-# does not provide enough environment sanitizing. This effectively is an
-# open profile that blacklists certain known dangerous files and also
-# does not allow any capabilities. For example, it will not allow 'm' on files
-# owned be the user invoking the program. While this provides some additional
-# protection, please use with care as applications running under this profile
-# are effectively running without any AppArmor protection. Use this profile
-# only if the process absolutely must be run (effectively) unconfined.
-#
-# Usage:
-# Because this abstraction defines the sanitized_helper profile, it must only
-# be included once. Therefore this abstraction should typically not be
-# included in other abstractions so as to avoid parser errors regarding
-# multiple definitions.
-#
-# Limitations:
-# 1. This does not work for root owned processes, because of the way we use
-# owner matching in the sanitized helper. We could do a better job with
-# this to support root, but it would make the policy harder to understand
-# and going unconfined as root is not desirable any way.
-#
-# 2. For this sanitized_helper to work, the program running in the sanitized
-# environment must open symlinks directly in order for AppArmor to mediate
-# it. This is confirmed to work with:
-# - compiled code which can load shared libraries
-# - python imports
-# It is known not to work with:
-# - perl includes
-# 3. Sanitizing ruby and java
-#
-# Use at your own risk. This profile was developed as an interim workaround for
-# LP: #851986 until AppArmor utilizes proper environment filtering.
-
- abi <abi/4.0>,
-
-profile sanitized_helper {
- include <abstractions/base>
- include <abstractions/X>
- include if exists <local/ubuntu-helpers>
-
- # Allow all networking
- network inet,
- network inet6,
-
- # Allow all DBus communications
- include <abstractions/dbus-session-strict>
- include <abstractions/dbus-strict>
- dbus,
-
- # Needed for Google Chrome
- ptrace (trace) peer=**//sanitized_helper,
-
- # Allow exec of anything, but under this profile. Allow transition
- # to other profiles if they exist.
- /{usr/,usr/local/,}{bin,sbin}/* Pixr,
-
- # Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
- /usr/{,local/}lib*/{,**/}* Pixr,
-
- # Allow exec of software-center scripts. We may need to allow wider
- # permissions for /usr/share, but for now just do this. (LP: #972367)
- /usr/share/software-center/* Pixr,
-
- # Allow exec of texlive font build scripts (LP: #1010909)
- /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr,
-
- # While the chromium and chrome sandboxes are setuid root, they only link
- # in limited libraries so glibc's secure execution should be enough to not
- # require the santized_helper (ie, LD_PRELOAD will only use standard system
- # paths (man ld.so)).
- /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
- /usr/lib/chromium{,-browser}/chrome-sandbox PUxr,
- /opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr,
- /opt/google/chrome{,-beta,-unstable}/google-chrome Pixr,
- /opt/google/chrome{,-beta,-unstable}/chrome Pixr,
- /opt/google/chrome{,-beta,-unstable}/chrome_crashpad_handler Pixr,
- /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m,
-
- # The same is needed for Brave
- /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr,
- /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr,
- /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr,
- /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome_crashpad_handler Pixr,
- /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m,
-
- # Allow running snap applications
- # https://bugs.launchpad.net/apparmor/+bug/2095872
- /usr/bin/snap ux,
-
- # Full access
- / r,
- /** rwkl,
- /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
-
- # Dangerous files
- audit deny owner /**/* m, # compiled libraries
- audit deny owner /**/*.py* r, # python imports
-}